FBI Director Asks Private Sector for IT Security Help

Mueller says trust between corporations and government necessary for secure systems

FBI Director Robert Mueller, in a recent address to the Information Technology Association of America, said the fight against cyber crime “requires a new level of engagement—an active partnership between the private sector and law enforcement, and an unprecedented level of cooperation.” (For a full transcript, visit http://www.itaa.org/infosec/gendoc.cfm?DocID=44.)

Mueller’s statements reflect a growing trend in the United States post-9/11, as the government continues to push hard for enterprises to participate in the effort to protect information systems from malicious attacks.

The National Strategy to Secure Cyberspace, which was released in September, first presented the idea of a working relationship between the U.S. government and the private sector. (To read that document, visit http://www.whitehouse.gov/pcipb/cyberstrategy-draft.html.) Ever since, government officials have been aggressively courting the private sector for help on the IT security front. Mueller’s comments to the ITAA are just the latest installment of this ongoing effort.

During his address, Mueller said, “A new category of crime that includes computer intrusions, denial of service attacks, attacks on the Internet Domain Name System, and cyber terrorism” requires the government and private sector to work together. Furthermore, he said, “[These types of attacks] have the potential to ruin businesses, cause staggering financial losses, threaten our national security, and even cost lives.”

According to Mueller, the FBI will be reorganizing itself to work with the newly formed Department of Homeland Security and the Secret Service to address IT security. Still, Mueller says cooperation from the private sector is critical. “I want to talk about the partnership that is needed to get the job done, and how we can build trust, share information, and ultimately benefit from each other's strengths,” he said, directly addressing the audience, which was composed primarily of corporate leaders from the private sector.

Mark Rasch, senior vice president and chief security counsel for managed security provider Solutionary, was at the ITAA briefing. He characterizes the moves the FBI is making to restructure its IT security operations as fairly significant.

Rasch, who served as the head of the Justice Department’s computer crimes unit prior to joining Solutionary, says, “The FBI fundamentally is trying to reinvent itself in the information security sector from an investigative agency focusing on computer crime and financial crime to an infrastructure protection agency.”

However, in order to do this, he says the FBI needs help. “Such a shift requires a fundamentally different skill set, and requires the FBI to become involved with potential victims long before a crime may take place. It also requires a level of trust between the private sector and the law enforcement agencies that, until now, has not existed.”

One of the more formidable obstacles the FBI has to overcome to initiate a symbiotic relationship with corporate America is the concept of information sharing. The FBI would like companies to share details of attacks on their systems to assist the agency in its research. Companies have been hesitant to do so, fearing the information may be leaked and ultimately reveal security vulnerabilities and hurt stock prices.

Right now, Mueller says the FBI estimates it is only getting reports for about one-third of actual unauthorized intrusions into computers or networks. While he says he understands the concerns companies have about reporting sensitive information, improvement is needed. “Above all, I hope we will make progress on these concerns today and establish some genuine trust,” he noted.

Although the government has been putting demands on the private sector as part of its IT security strategy, it has not suggested new legislation will be part of its efforts in this area. Rasch believes mandated security requirements in the form of new legislation are an unlikely scenario for most of the private sector.

“The overall government cyber-security plan does not anticipate any new legislation, and with the Republican Congress, government mandates are less likely,” says Rasch. “In some regulatory arenas—banking, health care, and possibly energy—new regulation may take effect, but nothing is likely to happen until the Department of Homeland Security has an opportunity to organize.”

Mueller’s speech shows just how important private sector buy-in is. If government agencies aren’t able to get it without formal legislation, new laws requiring certain levels of disclosure for security threats may become a necessity.

“More than 80 percent of the critical infrastructure is in the hands of the private sector,” says Rasch. “The only way to protect it is with the private sector cooperation. This means establishing standards, dedicating resources, and getting buy-in from all of the critical infrastructures across the world.”

About the Author

Matt Migliore is a regular contributor to ENTmag.com. He focuses particularly on Microsoft .NET and other Web services technologies. Matt was the editor of several technology-related Web publications and electronic newsletters, including Web Services Report, ASP insights and MIDRANGE Systems.